
Your last-minute checklist for GDPR

With implementation just around the corner, time is running out to get compliance right

You may be tired of hearing about it, but the General Data Protection Regulation is not going away. The 25 May implementation is just days away, so you need to make sure you are familiar with what is changing and the actions you need to take.

Your preparations should be at an advanced stage, but don’t panic if they are not. The following points are what you need to consider and act on.

Processing purpose

What personal data are you processing? This includes collecting, recording, organising, storing, adapting or altering any data that identifies a living person. You also need to establish the purposes and legal bases for all processing activities.

If you are using consent as a legal basis, you need to consider whether it remains the most appropriate basis (it probably is not, with the exception of special category data and data used for marketing). You also need to ensure it is obtained using the new GDPR standard, which you almost certainly did not apply previously.

Third parties

Review contracts with organisations that act as data processors for the personal data you control: back office systems, compliance consultants and any party to which you pass your clients’ personal data as part of providing your services. GDPR requires contracts for all such arrangements, including compulsory clauses to make the responsibilities of both parties explicit.

Inform clients

Inform your clients about how and why you are using their personal data. This should be covered in your privacy notice which must be made available to all data subjects.

Privacy culture

Accountability and governance are key. You need to be able to demonstrate a culture of privacy within your firm. You need a staff-facing data protection policy, and you need to show that the privacy of your clients is properly considered in developing your processes (privacy by design) and that your staff are fully aware of the data protection principles and your internal application of them.

Data security  

Consider your data security policies closely. The days of sending personal data through unprotected emails are gone. Mobiles should be appropriately encrypted. Most security breaches will be reportable to the Information Commissioner’s Office.

Data retention

Aside from data security breaches, what are the likely risks for firms post implementation?

Data retention is the issue that has caused most debate in the build-up.

You will need a data retention policy, which will need to be included in your privacy notice for clients. With a long history of claims and mis-selling scandals, a suspicion that the regulators have applied retrospective standards and the lack of a long-stop for complaints, there is a common desire to retain client records indefinitely.

Can this be done? On the face of it, indefinite retention would appear to go against the spirit and letter of GDPR, and current data protection law too. Unfortunately, there is not a definitive answer but there are several factors to help you to decide.

What is the data? Remember, you need to identify the data you hold and the purpose for its processing. You should not treat all data as one in deciding your retention policy. If you hold data relating to an expired contract for a client with whom you are no longer engaged, deciding to retain it forever is unreasonable.

Conversely, suitability records for pension transfer business need to be retained indefinitely. It is a regulatory requirement, so you have a legal responsibility.

In between these extremes there are numerous scenarios to consider. While you maintain a relationship with a client, data retention is less of an issue.

With the exception of pension transfers, there are minimum data retention periods for suitability records depending on the type of business. These are minimal, so you can retain data for longer if you have a legal basis for it. This may be “legitimate interests”, in which case you need to assess whether or not your interests outweigh the rights and freedoms of the data subjects. Some organisations are using defined periods for retention once a client relationship has ended; seven years, for example.

There is a common misunderstanding that data can be retained for the possible defence of a future legal claim. “For the establishment, exercise or defence of legal claims” is a valid reason to refuse a request for data to be deleted, but it is not one of the legal bases for processing personal data in itself.

The Information Commissioner has said several times that 25 May is not the end but the beginning. It may be some time before test cases lend some clarity to some of the inherent contradictions between data controllers’ interests and the rights of individuals to control their personal data.

Jon Roberts is compliance policy consultant at Threesixty


